This review is neither solicited, nor compensated. I have no affiliation with mailbox.org, other than as a happy customer.

It is no secret that I use mailbox.org: Their mailer hostnames are in the MX and related records for nym.zone, plus in the headers of all mail received from me (including by publicly archived mailing lists).

Although mailbox.org is popular on some other “crypto” forums, the only discussion I could find here is a German thread from 2015. Thus, I wish to tell Bitcoin Forum users of my experience with this service. Rather than writing a wall of prose, I will reduce the major points to three separate bulleted lists: Positive, Neutral, and Negative.

Note: mailbox.org offers a plethora of features, most of which are unused and untested by me. I can only review their core service: E-mail, sent from/downloaded to my own localhost.

TL;DR: Overall, highly recommended for pseudonymous users who want reliable service and strong anti-spam for €1/month, payable in Bitcoin.

Positives:

Friendly to anonymous/pseudonymous customers. They explicitly state that “anonymous registration at mailbox.org is absolutely possible”. The only information they ask at signup is a name—which they explicitly hint that they cannot verify—plus a country for VAT reporting purposes (also unverifiable), and a language for the Web app user interface.

Excellent anti-spam protection. The company which provides this service, Heinlein Support GmbH, does antispam as their bread and butter. I have been freely spreading my address nullius@nym.zone around the Web and on mailing lists, with no attempt to obfuscate it. I receive very little spam; and whatever spam I have recently received seems to be targeted to Bitcoin Forum users (ICO spam).

Anti-spam system properly rejects with SMTP 5xx. No junk folder to silently eat false-positive messages! (I think they may (?) have recently added a “junk folder” option; but if so, it is optional and opt-in. Avoid.)

.onion site, kqiafglit242fygz.onion, for access to POP, IMAP, and XMPP services—albeit not for the Web interface, which is necessary to control account settings and payment. They also run their own Tor exit, which can be pinned; I myself don’t do this. Their Tor information page discusses both their exit and their .onion.

Reliable service. In my time as a customer thus far, I have never seen the service go down, or show any other signs of unreliability.

Well-established company. mailbox.org was started in 2013; but the people running it have been providing some form of network services since 1989 (!). The providing company has existed since 1992. In an era fraught with flaky startups, I feel more comfortable knowing that my e-mail will not likely disappear due to dumb hipster “founder” kids either flaking out, or getting “acqui-hired” by Google.

TLS certificates verifiable through DANE. (Untested by me, since DANE does not work through Tor; I’d need to make a special effort.)

Network-level communications privacy between servers can help lessen the exposure of metadata (not protected by PGP) to network observers. To this end, mailbox.org attempts to use TLS for all incoming and outgoing SMTP sessions with other MXes. They also provide an option through which you may refuse all mail not sent over TLS; however, this can cause you to be unable to communicate with people who use incompetently managed mailservers.

All mailbox users also have a special alias which can only receive mail via SMTP over TLS; mine is <nullius@secure.mailbox.org>. If you want to test whether your mailserver can do outgoing TLS properly, try sending me a “hello” at that address, and see if it gets rejected!

Reasonable prices. For those who download and delete mail, unless you need lots of aliases for domains, it should never be necessary to buy more than the €1/month service level with a 2 GB mail quota. Webmail users who need more space (or those who use the “Office” features I have not tested) have many other service options, all of which seem cost-effective for the resources provided.

Paid service. Yes, that’s a positive. So-called “free” e-mail never is: If you’re not the (paying) customer, then you are the product. I am a mailbox.org customer.

Payable in Bitcoin (but see negative below: Bitpay).

30-day free trial.

Neutral characteristics:

Webmail “Guard” PGP features. I myself do not use this, and have not tested it. I think that overall, against real-world threats, it looks about as trustworthy as Protonmail; yet it has the significant advantage that unlike Protonmail, you can use it to communicate with all PGP users in the world, not only local users of the same service. I think that this is a good “medium security” solution for people who need user-friendly webmail. I would recommend that paid Protonmail users switch, and save some money: For 5GB of quota, mailbox.org costs €2.50/month, whereas Protonmail costs €5/month (€4/month if paid annually). Those who need or desire high security MUST always use private keys which never in any way leave their own hardware. This German-language discussion seems savvy.

Side note: I myself would prefer to correspond with security experts who use their own keys on their own hardware. However, knowing one’s correspondent is integral to opsec; and I know that I can only assess the expertise of a correspondent by evaluating the human element. I would rather suggest that n00bs use mailbox.org Guard from their malware-infested PCs than try to tell them how to manage PGP private keys on the same computers from which their bitcoins get stolen.

Bitpay. #NO2X, “WE WILL NEVER FORGET.” I don’t totally boycott all Bitpay services; but a service must be truly excellent for me to endure grinding my teeth whilst sending precious bitcoins to a Bitpay address. @mailbox.org, please consider setting up your own node!

Even for POP/IMAP users, the Web interface must be used for account settings and payment purposes; and the Web interface requires Javascript, lots of Javascript. Besides being unfriendly to people who disable Javascript for security reasons, the gobs of Javascript are slow to download over Tor.

Google CAPTCHA required (only) at signup. (They actually apologize for this on the signup page.)

“Guard” PGP features (untested/unused by me) require some level of trust in mailbox.org. As said above, I think overall their setup looks about as safe as Protonmail. With Protonmail, the server could perform a targeted attack by providing Javascript which phones home the decrypted private key; with mailbox.org Guard, the server decrypts the private key, and could keep it that way if desired. Really, what’s the substantive difference?

I will update this review if/as necessary from further experience with mailbox.org.

Version history:

2018-03-11: Initial post.

This thread is self-moderated for the reason that, due to experience with spam and trolls, I self-moderate all threads started by me unless there be a good reason to do otherwise.
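The review above mentions that mailbox.org's TLS certificates are verifiable through DANE, and that this cannot be checked through Tor (Tor's resolver returns no DNSSEC-validated TLSA data). The following is an added example, not code from the post or from mailbox.org, showing what a DANE check actually computes: the client fetches the TLSA RRset under `_25._tcp.<mx-host>`, selects the certificate material the record names (full certificate or SubjectPublicKeyInfo), applies the matching type (exact bytes, SHA-256 or SHA-512), and compares the result with the record's association data. The public key, hostname and records are constructed for the demo and are not mailbox.org's real values; only the DANE-EE usage (3) is implemented, since usages 0 to 2 additionally require PKIX chain validation.

```python
"""DANE (RFC 6698) TLSA matching, reduced to the offline computation.

Everything below is constructed sample data for illustration: the Ed25519
public key, the hostname and the records are made up, not real DNS data.
Standard library only, so no network or DNS lookups are performed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

# Certificate usage (RFC 6698 s2.1.1). DANE-EE (3) pins the end-entity key
# itself; usages 0-2 also need PKIX chain validation and are not shown here.
DANE_EE = 3
# Selector (s2.1.2): 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER.
SEL_CERT, SEL_SPKI = 0, 1
# Matching type (s2.1.3): 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed SubjectPublicKeyInfo: the fixed DER prefix of an Ed25519 SPKI
# (RFC 8410) followed by 32 made-up key bytes. This is NOT a real key.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SAMPLE_SPKI = ED25519_SPKI_PREFIX + bytes(range(32))
SAMPLE_HOST = "mx.example.net"  # placeholder MX hostname, not mailbox.org's


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data, decoded from hex

    @classmethod
    def parse(cls, presentation: str) -> "TLSARecord":
        """Parse zone-file form, e.g. '3 1 1 5c1e...'; hex may contain spaces."""
        usage, selector, mtype, hexdata = presentation.split(None, 3)
        return cls(int(usage), int(selector), int(mtype),
                   bytes.fromhex(hexdata.replace(" ", "")))

    def presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"


def tlsa_owner_name(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name an SMTP client queries for the MX host's TLSA RRset."""
    return f"_{port}._{proto}.{host}"


def select_material(selector: int, cert_der: Optional[bytes], spki_der: bytes) -> bytes:
    """Pick the certificate material the record's selector refers to."""
    if selector == SEL_SPKI:
        return spki_der
    if selector == SEL_CERT:
        if cert_der is None:
            raise ValueError("selector 0 needs the full certificate DER")
        return cert_der
    raise ValueError(f"unknown selector {selector}")


def association_data(matching_type: int, selected: bytes) -> bytes:
    """Apply the matching type to the selected material."""
    if matching_type == MATCH_FULL:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def publish_record(spki_der: bytes, matching_type: int = MATCH_SHA256) -> TLSARecord:
    """What a zone operator publishes in the common '3 1 1' form (DANE-EE, SPKI, SHA-256)."""
    return TLSARecord(DANE_EE, SEL_SPKI, matching_type,
                      association_data(matching_type, spki_der))


def tlsa_matches(record: TLSARecord, spki_der: bytes,
                 cert_der: Optional[bytes] = None) -> bool:
    """True if the presented key (or certificate) satisfies a DANE-EE record."""
    if record.usage != DANE_EE:
        raise NotImplementedError("only DANE-EE (usage 3) is demonstrated here")
    material = select_material(record.selector, cert_der, spki_der)
    expected = association_data(record.matching_type, material)
    # Constant-time comparison, as for any digest check.
    return hmac.compare_digest(expected, record.data)


def verify_against_rrset(records: Iterable[TLSARecord], spki_der: bytes,
                         cert_der: Optional[bytes] = None) -> bool:
    """An RRset may carry several records (e.g. during key rollover); one match suffices."""
    return any(tlsa_matches(r, spki_der, cert_der) for r in records)


if __name__ == "__main__":
    rec = publish_record(SAMPLE_SPKI)
    print(tlsa_owner_name(SAMPLE_HOST), "IN TLSA", rec.presentation())
    print("presented key matches:", tlsa_matches(rec, SAMPLE_SPKI))
```

A real client would only trust the RRset after DNSSEC validation, which is the step a Tor-resolved lookup cannot supply; without it the record is just unauthenticated data and the pin gives no assurance.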

Quote

Located in Berlin, Germany, without connection to the Land of the Free NSL. Servers physically located in Berlin. Subject to German data protection laws. Clear Data Privacy Statement.

Regarding this point, isn't Germany a part of the infamous Fourteen Eyes (details well summarized by Privacy Tools)?

Quote

The UKUSA Agreement is an agreement between the United Kingdom, United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence. Members of this group, known as the Five Eyes, focus on gathering and analyzing intelligence from different parts of the world. While Five Eyes countries have agreed to not spy on each other as adversaries, leaks by Snowden have revealed that some Five Eyes members monitor each other’s citizens and share intelligence to avoid breaking domestic laws that prohibit them from spying on their own citizens. The Five Eyes alliance also cooperates with groups of third party countries to share intelligence (forming the Nine Eyes and Fourteen Eyes), however Five Eyes and third party countries can and do spy on each other.

The part in bold being the German part. Not to mention there have been plans from the German side to align themselves with the Five Eyes, as per a suitably cited Wikipedia article.

Quote

Germany is reportedly interested in moving closer to the inner circle: an internal GCHQ document from 2009 said that the “Germans were a little grumpy at not being invited to join the 9-Eyes group." Germany may even wish to join Five Eyes

And to quote another article

Quote

According to summit participants, the German chancellor seemed far more interested in the "Five Eyes" alliance among the US, the UK, Australia, New Zealand and Canada. The top-level allies within this exclusive group, which began in 1946 as a pact between London and Washington, have agreed not to spy on one another, but instead to share information and resources. In Brussels, Cameron stressed to his fellow leaders how many terrorist attacks had been prevented by successful intelligence work.

Merkel, meanwhile, stated: "Unlike David, we are unfortunately not part of this group." According to the New York Times, Germany has sought membership in the "Five Eyes" alliance for years, but has been turned down due to opposition, including from the Obama administration. But this could now change, the paper speculates.

So there's a high chance that Germany may soon change their stance on the issue of privacy, especially now that the leadership of the US has changed from the Obama administration, which rejected their plea, to a new one.

Very interesting article nullius, thanks. I think the one Negative bit is just too much to overcome at the moment (BitPay). The issue with wanting a good service, especially one so important as a pseudonymous email, isn't with the price but with the ease of maintaining it. BitPay is impossible for me to use (and I want to avoid it anyway).

The secondary issue, but also important: how we can be secure in the knowledge that the email service won't just disappear? I got really upset when Sigaint went down and it was doing so well!